mirror of
https://gitlab.com/pulsechaincom/prysm-pulse.git
synced 2025-01-10 19:51:20 +00:00
394bd1786a
* fixing squashing changes, migrates beacon , account, and auth endpoints on validator client * adding accounts endpoints * fixing tests and query endpoints * adding auth endpoint and fixing unit tests * removing unused files and updating node file to skip gRPC * ineffectual assignment fix * rolling back a change to fix e2e * fixing issues with ui * updating with webui version 2.0.5 * updating package name flag in readme * removing restore assets functions * adding nomemcopy flag to see if vulenerability scan passes * making data non compressed to avoid copy vulnerability * Update beacon-chain/rpc/eth/shared/structs_validator.go Co-authored-by: Raul Jordan <raul@prysmaticlabs.com> * updating site_data, and skipping static analysis on file * adding back deprecation comment notice * updating workflows to ignore generated * addressing radek comments * missed a conversion --------- Co-authored-by: Raul Jordan <raul@prysmaticlabs.com>
198 lines
5.4 KiB
Go
198 lines
5.4 KiB
Go
package rpc
|
|
|
|
import (
|
|
"bufio"
|
|
"bytes"
|
|
"context"
|
|
"encoding/hex"
|
|
"fmt"
|
|
"io"
|
|
"net/url"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
|
|
"github.com/fsnotify/fsnotify"
|
|
"github.com/golang-jwt/jwt/v4"
|
|
"github.com/pkg/errors"
|
|
"github.com/prysmaticlabs/prysm/v4/crypto/rand"
|
|
"github.com/prysmaticlabs/prysm/v4/io/file"
|
|
)
|
|
|
|
const (
|
|
AuthTokenFileName = "auth-token"
|
|
)
|
|
|
|
// CreateAuthToken generates a new jwt key, token and writes them
|
|
// to a file in the specified directory. Also, it logs out a prepared URL
|
|
// for the user to navigate to and authenticate with the Prysm web interface.
|
|
func CreateAuthToken(walletDirPath, validatorWebAddr string) error {
|
|
jwtKey, err := createRandomJWTSecret()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
token, err := createTokenString(jwtKey)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
authTokenPath := filepath.Join(walletDirPath, AuthTokenFileName)
|
|
log.Infof("Generating auth token and saving it to %s", authTokenPath)
|
|
if err := saveAuthToken(walletDirPath, jwtKey, token); err != nil {
|
|
return err
|
|
}
|
|
logValidatorWebAuth(validatorWebAddr, token, authTokenPath)
|
|
return nil
|
|
}
|
|
|
|
// Upon launch of the validator client, we initialize an auth token by either creating
|
|
// one from scratch or reading it from a file. This token can then be shown to the
|
|
// user via stdout and the validator client should then attempt to open the default
|
|
// browser. The web interface authenticates by looking for this token in the query parameters
|
|
// of the URL. This token is then used as the bearer token for jwt auth.
|
|
func (s *Server) initializeAuthToken(walletDir string) (string, error) {
|
|
authTokenFile := filepath.Join(walletDir, AuthTokenFileName)
|
|
if file.Exists(authTokenFile) {
|
|
// #nosec G304
|
|
f, err := os.Open(authTokenFile)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
defer func() {
|
|
if err := f.Close(); err != nil {
|
|
log.Error(err)
|
|
}
|
|
}()
|
|
secret, token, err := readAuthTokenFile(f)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
s.jwtSecret = secret
|
|
return token, nil
|
|
}
|
|
jwtKey, err := createRandomJWTSecret()
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
s.jwtSecret = jwtKey
|
|
token, err := createTokenString(s.jwtSecret)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
if err := saveAuthToken(walletDir, jwtKey, token); err != nil {
|
|
return "", err
|
|
}
|
|
return token, nil
|
|
}
|
|
|
|
func (s *Server) refreshAuthTokenFromFileChanges(ctx context.Context, authTokenPath string) {
|
|
watcher, err := fsnotify.NewWatcher()
|
|
if err != nil {
|
|
log.WithError(err).Error("Could not initialize file watcher")
|
|
return
|
|
}
|
|
defer func() {
|
|
if err := watcher.Close(); err != nil {
|
|
log.WithError(err).Error("Could not close file watcher")
|
|
}
|
|
}()
|
|
if err := watcher.Add(authTokenPath); err != nil {
|
|
log.WithError(err).Errorf("Could not add file %s to file watcher", authTokenPath)
|
|
return
|
|
}
|
|
for {
|
|
select {
|
|
case <-watcher.Events:
|
|
// If a file was modified, we attempt to read that file
|
|
// and parse it into our accounts store.
|
|
token, err := s.initializeAuthToken(s.walletDir)
|
|
if err != nil {
|
|
log.WithError(err).Errorf("Could not watch for file changes for: %s", authTokenPath)
|
|
continue
|
|
}
|
|
validatorWebAddr := fmt.Sprintf("%s:%d", s.validatorGatewayHost, s.validatorGatewayPort)
|
|
logValidatorWebAuth(validatorWebAddr, token, authTokenPath)
|
|
case err := <-watcher.Errors:
|
|
log.WithError(err).Errorf("Could not watch for file changes for: %s", authTokenPath)
|
|
case <-ctx.Done():
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
func logValidatorWebAuth(validatorWebAddr, token string, tokenPath string) {
|
|
webAuthURLTemplate := "http://%s/initialize?token=%s"
|
|
webAuthURL := fmt.Sprintf(
|
|
webAuthURLTemplate,
|
|
validatorWebAddr,
|
|
url.QueryEscape(token),
|
|
)
|
|
log.Infof(
|
|
"Once your validator process is running, navigate to the link below to authenticate with " +
|
|
"the Prysm web interface",
|
|
)
|
|
log.Info(webAuthURL)
|
|
log.Infof("Validator CLient JWT for RPC and REST authentication set at:%s", tokenPath)
|
|
}
|
|
|
|
func saveAuthToken(walletDirPath string, jwtKey []byte, token string) error {
|
|
hashFilePath := filepath.Join(walletDirPath, AuthTokenFileName)
|
|
bytesBuf := new(bytes.Buffer)
|
|
if _, err := bytesBuf.Write([]byte(fmt.Sprintf("%x", jwtKey))); err != nil {
|
|
return err
|
|
}
|
|
if _, err := bytesBuf.Write([]byte("\n")); err != nil {
|
|
return err
|
|
}
|
|
if _, err := bytesBuf.Write([]byte(token)); err != nil {
|
|
return err
|
|
}
|
|
if _, err := bytesBuf.Write([]byte("\n")); err != nil {
|
|
return err
|
|
}
|
|
return file.WriteFile(hashFilePath, bytesBuf.Bytes())
|
|
}
|
|
|
|
func readAuthTokenFile(r io.Reader) (secret []byte, token string, err error) {
|
|
br := bufio.NewReader(r)
|
|
var jwtKeyHex string
|
|
jwtKeyHex, err = br.ReadString('\n')
|
|
if err != nil {
|
|
return
|
|
}
|
|
secret, err = hex.DecodeString(strings.TrimSpace(jwtKeyHex))
|
|
if err != nil {
|
|
return
|
|
}
|
|
tokenBytes, _, err := br.ReadLine()
|
|
if err != nil {
|
|
return
|
|
}
|
|
token = strings.TrimSpace(string(tokenBytes))
|
|
return
|
|
}
|
|
|
|
// Creates a JWT token string using the JWT key.
|
|
func createTokenString(jwtKey []byte) (string, error) {
|
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.RegisteredClaims{})
|
|
// Sign and get the complete encoded token as a string using the secret
|
|
tokenString, err := token.SignedString(jwtKey)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return tokenString, nil
|
|
}
|
|
|
|
// DEPRECATED: associated to Initialize Web UI API
|
|
func createRandomJWTSecret() ([]byte, error) {
|
|
r := rand.NewGenerator()
|
|
jwtKey := make([]byte, 32)
|
|
n, err := r.Read(jwtKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if n != len(jwtKey) {
|
|
return nil, errors.New("could not create appropriately sized random JWT secret")
|
|
}
|
|
return jwtKey, nil
|
|
}
|